module_utils: require X_OK when checking cwd sanity #69201
base: devel
The CI errors look like false alarms.
Closing and re-opening to trigger a new CI build, as explained in https://docs.ansible.com/ansible/latest/dev_guide/testing.html#rerunning-a-failing-ci-job
/rebuild_failed
Hi @seirl, could you please add a changelog entry to this PR, as well as an integration test to show the new behavior is correct? Thanks!
Sure, could you point out where this test would fit? The commit that introduces this function doesn't have a test attached to it, so I'm not sure where the previous behavior was tested.
Every time an Ansible module is run, it checks that it is running from a "sane" working directory, a.k.a where it has the permission to be. This is because when running commands, it might temporarily change its working directory, then later restore pop the cwd to the previous one. Therefore, if the module is not run from a working directory where it has the permission to be, the module will execute fine, but then fail when trying to restore to the previous directory.

Up until now the way this cwd "sanity" was checked was by checking for the F_OK and R_OK permissions, which respectively check that the directory exists and is readable. However, this is actually not sufficient to check whether you can cwd to it! You also need to check for X_OK, which for directories means that the directory is searchable. See for example:

    >>> cwd = os.getcwd()
    >>> cwd
    '/root'
    >>> os.access(cwd, os.F_OK | os.R_OK)
    True
    >>> os.access(cwd, os.F_OK | os.R_OK | os.X_OK)
    False
    >>> os.chdir(cwd)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    PermissionError: [Errno 13] Permission denied: '/root'

Basically, this means that Ansible will fail every time you run a "become" command from a directory with the mode o+r-x.

This commit fixes this issue by adding a requirement for X_OK when checking the sanity of the current working directory.
I added the changelog entry.
Why would you need to add tests for the whole function? Adding tests that cover the modified parts of the code should be enough for this PR. For example, https://gist.github.com/tadeboro/9d4d9229ce23b943d6a1e75ef05a7147 contains a few tests that cover the cases where the cwd candidates are directories with no executable bit set. (BTW, feel free to steal the code and modify it as needed.)
@seirl I agree, it doesn't look like there are any unit tests for this specifically. It makes it doubly important to add some then, so we can catch change in behavior in the future.
This is still on my radar, I'll add the tests when I have the time.
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
The branch is too old for the CI to pick it up. Needs rebase.
SUMMARY
Every time an Ansible module is run, it checks that it is running from a
"sane" working directory, a.k.a where it has the permission to be. This
is because when running commands, it might temporarily change its
working directory, then later restore pop the cwd to the previous one.
Therefore, if the module is not run from a working directory where it
has the permission to be, the module will execute fine, but then fail
when trying to restore to the previous directory.
Up until now the way this cwd "sanity" was checked was by checking for
the F_OK and R_OK permissions, which respectively check that the
directory exists and is readable. However, this is actually not
sufficient to check whether you can cwd to it! You also need to check
for X_OK, which for directories means that the directory is searchable.
See for example:
Basically, this means that Ansible will fail every time you run a
"become" command from a directory with the mode o+r-x.
This commit fixes this issue by adding a requirement for X_OK when
checking the sanity of the current working directory.
ISSUE TYPE
COMPONENT NAME
module_utils
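
The check this PR discusses, as an added illustration (not Ansible's code and not taken from the PR): a mode-0444 directory passes the `F_OK | R_OK` test yet cannot be entered, while the mask with `X_OK` skips it and falls through to the next candidate. `pick_sane_cwd`, the mask names and the temporary directories are assumptions constructed for the example; run it as a non-root user, since root bypasses directory permission checks.

```python
import os
import shutil
import tempfile

OLD_MASK = os.F_OK | os.R_OK              # exists and is readable
NEW_MASK = os.F_OK | os.R_OK | os.X_OK    # ...and is searchable


def pick_sane_cwd(candidates, mask, access=os.access):
    """Return the first candidate passing access(path, mask), else None.

    Hypothetical helper; `access` is injectable so the selection logic
    can be tested without depending on the caller's uid.
    """
    for path in candidates:
        try:
            if access(path, mask):
                return path
        except OSError:
            continue
    return None


def demo():
    """Build a constructed r--r--r-- directory and try both masks on it."""
    start = os.getcwd()
    base = tempfile.mkdtemp()
    ro = os.path.join(base, "readable_only")   # constructed sample dirs
    ok = os.path.join(base, "fallback")
    os.mkdir(ro)
    os.mkdir(ok)
    os.chmod(ro, 0o444)                        # readable, not searchable
    try:
        old = pick_sane_cwd([ro, ok], OLD_MASK)
        new = pick_sane_cwd([ro, ok], NEW_MASK)
        try:
            os.chdir(old)                      # chdir needs search permission
            chdir_old_ok = True
        except PermissionError:
            chdir_old_ok = False
        return old == ro, new == ok, chdir_old_ok
    finally:
        os.chdir(start)
        os.chmod(ro, 0o700)                    # restore so cleanup can proceed
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```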